Request: user-level opt-out for the hardcoded sensitive-file check on project .claude/ writes
Hi Claude Code team,
I'm a heavy daily user of Claude desktop (v1.3561.0) and the Claude Code integration. My workflow revolves around one project with a standing preference to bypass all permission prompts — I have defaultMode: bypassPermissions and skipDangerousModePermissionPrompt: true set at every settings layer (global + project, regular + local), all trust flags on in ~/.claude.json (hasTrustDialogAccepted, hasTrustDialogHooksAccepted, hasClaudeMdExternalIncludesApproved), no managed policy fighting me, and every desktop session's permissionMode pinned to bypassPermissions.
The issue
Writes via the Write / Edit / NotebookEdit tools into project-local .claude/ subdirectories — anything outside commands/, agents/, skills/, or the settings.json / settings.local.json carve-out — trigger a "sensitive file" permission dialog that cannot be disabled by any configuration I've found.
Confirmed by testing (2026-04-21): a PreToolUse hook registered in ~/.claude/settings.json with matcher Write|Edit|NotebookEdit returning
{
"hookSpecificOutput": {
"hookEventName": "PreToolUse",
"permissionDecision": "allow",
"permissionDecisionReason": "standing user consent"
}
}
does not suppress the prompt. The sensitive-file check runs earlier in the permission pipeline than the hook layer.
Why this matters
I understand the security rationale — protect users from prompt-injection attacks that could rewrite their permission config via malicious document content. That's valuable as a default. But I'd like a way to opt out as an informed user.
Practical impact for me: I write custom skills that produce durable artifacts (change-log snapshots, caches, etc.). The natural home for those was .claude/snapshots/, but every write fired a prompt. My workaround was to relocate the directory outside .claude/ — works fine, but it fragments project layout. .claude/ was the intuitive home for Claude-Code-adjacent artifacts.
Requests (any one would solve this)
- Settings key like
permissions.disableSensitiveFileCheck: truethat an informed user can flip after an explicit warning. - Expose the check to the hook pipeline so a
PreToolUseorPermissionRequesthook can override it with a documented return value. - Allow pattern pre-authorization inside
.claude/, e.g.permissions.allow: ["Write(.claude/snapshots/**)"].
Any of these gives informed users a deliberate off-switch while keeping the default behavior safe for everyone else.
Environment
- Claude desktop app: 1.3561.0 (macOS)
- Claude Code bundled: 2.1.111
- Install method: native
- OS: macOS (APFS, case-insensitive)
- No managed policy present
Happy to share specifics on my setup, logs, or participate in testing if that's useful.
Thanks,
Noah DeVore
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗